Off-site user access control
First Claim
1. A method for off-site access control in a communications system, the method comprising:
- receiving, by a router, a communication request from a user device for communications over the Internet, the user device being communicatively coupled with a site-based communications network, and the router controlling access between the site-based communications network and the Internet;
- determining, by the router, whether the user device is one of a plurality of authorized devices included on an access control list maintained by the router;
- when the user device is one of the authorized devices included on the access control list, automatically routing, by the router, outgoing network traffic originating from the user device to the Internet; and
- when the user device is not one of the authorized devices included on the access control list:
  - forwarding, by the router, one or more packets forming the communication request from the user device to an off-site authentication system over the Internet without modifying the one or more packets;
  - receiving a captive authentication portal from the off-site authentication system for the user device to become authorized to communicate as requested over the Internet;
  - communicating the captive authentication portal from the router to the user device;
  - receiving an authentication request from the user device according to the captive authentication portal;
  - forwarding the authentication request to the off-site authentication system;
  - receiving an authentication response from the off-site authentication system according to the authentication request, the authentication response directing the router to add the user device to the access control list;
  - adding the user device to the access control list by the router according to the authentication response; and
  - after adding the user device to the access control list, automatically routing, by the router, outgoing network traffic originating from the user device to the Internet.
Abstract
Systems and methods are described for off-site user access control to communications services via a site-based communications network. Embodiments operate in the context of sites, each having one or more site-based networks in communication with external networks via one or more on-site routers. User devices are provided with controlled access to those external networks via wired or wireless connections between those user devices and the site-based networks. In some embodiments, on-site routers maintain route maps that indicate which user devices are authorized. Standard routing functions are used so that traffic from authorized devices is routed normally, while traffic from unauthorized devices is automatically forwarded to an off-site (e.g., cloud-based) authentication system. As devices become remotely authenticated, the off-site authentication system can remotely update the route maps of the on-site routers to add those devices.
20 Claims
1. A method for off-site access control in a communications system (claim 1 is set out in full above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A non-transitory processor-readable medium comprising executable instructions that when executed by one or more processors cause the one or more processors to perform a method of:
- receiving, by a router, a communication request from a user device for communications over the Internet, the user device being communicatively coupled with a site-based communications network, and the router controlling access between the site-based communications network and the Internet;
- determining, by the router, whether the user device is one of a plurality of authorized devices included on an access control list maintained by the router;
- when the user device is one of the authorized devices included on the access control list, automatically routing, by the router, outgoing network traffic originating from the user device to the Internet; and
- when the user device is not one of the authorized devices included on the access control list:
  - forwarding, by the router, one or more packets forming the communication request from the user device to an off-site authentication system over the Internet without modifying the one or more packets;
  - receiving a captive authentication portal from the off-site authentication system for the user device to become authorized to communicate as requested over the Internet;
  - communicating the captive authentication portal from the router to the user device;
  - receiving an authentication request from the user device according to the captive authentication portal;
  - forwarding the authentication request to the off-site authentication system;
  - receiving an authentication response from the off-site authentication system according to the authentication request, the authentication response directing the router to add the user device to the access control list;
  - adding the user device to the access control list by the router according to the authentication response; and
  - after adding the user device to the access control list, automatically routing, by the router, outgoing network traffic originating from the user device to the Internet.
11. A router disposed in a site-based communications network for controlling access between the site-based communication network and an external network, the router comprising:
- a storage device storing therein a route map indicating a plurality of authorized user devices, the route map operable to designate traffic originating from any of the plurality of authorized devices for routing to the external network, and operable to designate traffic originating from any user device that is not one of the plurality of authorized devices for forwarding to an off-site authentication system; and
- a communications subsystem operable to:
  - receive a communication request from a user device communicatively coupled with the site-based communications network, the communication request being for communications to the external network;
  - route outgoing network traffic originating from the user device to the external network when the communication request is designated as originating from one of the plurality of authorized devices according to the route map; and
  - when the communication request is designated as originating from other than one of the plurality of authorized devices according to the route map:
    - forward one or more packets forming the communication request to the off-site authentication system over the external network without modifying the one or more packets;
    - receive a captive authentication portal from the off-site authentication system for the user device to become authorized to communicate as requested over the external network;
    - communicate the captive authentication portal to the user device;
    - receive an authentication request from the user device according to the captive authentication portal;
    - forward the authentication request to the off-site authentication system;
    - receive an authentication response from the off-site authentication system according to the authentication request, the authentication response directing the router to add the user device to the plurality of authorized devices;
    - update the route map to include the user device as one of the plurality of authorized user devices according to the authentication response; and
    - route outgoing network traffic originating from the user device to the external network after updating the route map according to the authentication response.

Dependent claims: 12, 13, 14.
15. An off-site authentication system in communication with a plurality of on-site routers, each of the on-site routers disposed within a site-based network for controlling access between the site-based network and an external network, the off-site authentication system comprising:
- a router controller operable to:
  - receive, from an on-site router, a communication request originating from a user device, the user device being communicatively coupled with a site-based communications network of the on-site router, the communication request being for communications over the external network, and the on-site router operable so that traffic originating from any of a plurality of authorized user devices is automatically routed to the external network, and one or more packets forming traffic originating from any user device that is not one of the plurality of authorized devices is automatically forwarded to the off-site authentication system without modifying the one or more packets; and
- an authentication subsystem in communication with the router controller, and operable to:
  - communicate a captive authentication portal for the user device to become authorized to communicate as requested external to the site-based network;
  - receive an authentication request from the user device via the on-site router according to the captive authentication portal; and
  - determine that the user device is authorized to communicate as requested over the external network according to the authentication request;
- wherein the router controller is further operable to communicate an instruction to the on-site router directing the on-site router to update a route map to indicate that the user device is authorized to communicate at least as requested over the external network according to the determination of the authentication subsystem.

Dependent claims: 16, 17, 18, 19, 20.
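As an added illustration (not code from the patent or its assignee), the following Python models both sides of the exchange claimed in claims 1, 11 and 15: the on-site router checks its access control list, passes an unknown device's packet to the off-site system unmodified, relays the captive portal back, forwards the portal submission, and adds the device only on the off-site system's response, after which traffic is routed normally. Everything below is an assumption made for the example: the device identifier the list is keyed on, the credential store, the portal nonce used to correlate the later authentication request with the forwarded packet, and the HMAC with which the router verifies that a list-changing response actually came from the off-site system (the claims say the response "directs" the router to update its list but do not say how the router checks its origin).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed shared secret between router and off-site system (assumption:
# the claims do not specify how the authentication response is protected).
SHARED_SECRET = b"constructed-demo-secret"
MAC_FIELDS = ("type", "device", "router", "nonce", "authorized")


@dataclass
class Packet:
    src: str        # device identifier the router keys its ACL on (assumption)
    dst: str
    payload: str


def sign(resp: dict) -> str:
    """HMAC-SHA256 over the response fields the router acts on (assumption)."""
    data = "|".join(str(resp[k]) for k in MAC_FIELDS).encode()
    return hmac.new(SHARED_SECRET, data, hashlib.sha256).hexdigest()


@dataclass
class OffSiteAuthSystem:
    """Off-site side (claim 15): serves the portal, checks credentials and
    issues the instruction that updates the router's route map."""
    users: dict                                   # constructed credential store
    pending: dict = field(default_factory=dict)   # (router, device) -> portal nonce

    def handle_forwarded(self, router_id: str, pkt: Packet) -> dict:
        # The packet arrived unmodified; answer with a portal bound to a fresh
        # nonce so the later authentication request can be correlated with it.
        nonce = secrets.token_hex(8)
        self.pending[(router_id, pkt.src)] = nonce
        return {"type": "captive_portal", "device": pkt.src,
                "nonce": nonce, "original_dst": pkt.dst}

    def handle_auth_request(self, router_id: str, req: dict) -> dict:
        key = (router_id, req["device"])
        nonce = self.pending.get(key)
        if nonce is None or req.get("nonce") != nonce:
            return {"type": "auth_response", "device": req["device"], "authorized": False}
        stored = self.users.get(req.get("username"), "")
        ok = hmac.compare_digest(stored.encode(), str(req.get("password", "")).encode())
        self.pending.pop(key, None)
        resp = {"type": "auth_response", "device": req["device"], "router": router_id,
                "nonce": nonce, "authorized": ok}
        resp["mac"] = sign(resp)
        return resp


@dataclass
class Router:
    """On-site side (claims 1 and 11): ACL lookup, unmodified pass-through of
    unauthorized traffic, and verified updates of the list."""
    router_id: str
    auth: OffSiteAuthSystem
    acl: set = field(default_factory=set)
    seen_nonces: set = field(default_factory=set)
    internet: list = field(default_factory=list)  # packets routed out normally

    def handle_packet(self, pkt: Packet):
        if pkt.src in self.acl:
            self.internet.append(pkt)            # standard routing, no portal
            return "routed"
        # Not on the list: forward unmodified and relay the portal to the device.
        return self.auth.handle_forwarded(self.router_id, pkt)

    def handle_auth_request(self, req: dict) -> bool:
        # Portal submission from the device is forwarded; the response is applied.
        return self.apply_auth_response(self.auth.handle_auth_request(self.router_id, req))

    def apply_auth_response(self, resp: dict) -> bool:
        # Only a response addressed to this router, carrying a valid MAC and an
        # unused nonce, may add a device to the access control list.
        if any(k not in resp for k in MAC_FIELDS):
            return False
        if not resp["authorized"] or resp["router"] != self.router_id:
            return False
        if not hmac.compare_digest(str(resp.get("mac", "")), sign(resp)):
            return False
        if resp["nonce"] in self.seen_nonces:
            return False
        self.seen_nonces.add(resp["nonce"])
        self.acl.add(resp["device"])
        return True


def run_exchange():
    """Full exchange for one constructed device; returns the observable results."""
    auth = OffSiteAuthSystem(users={"alice": "correct horse"})
    rtr = Router("site-7-router", auth)
    dev = "aa:bb:cc:dd:ee:01"
    first = rtr.handle_packet(Packet(dev, "example.org:443", "GET /"))
    added = rtr.handle_auth_request({"device": dev, "nonce": first["nonce"],
                                     "username": "alice", "password": "correct horse"})
    second = rtr.handle_packet(Packet(dev, "example.org:443", "GET /"))
    return first["type"], added, second, len(rtr.internet)


def bad_password_is_rejected() -> bool:
    auth = OffSiteAuthSystem(users={"alice": "correct horse"})
    rtr = Router("site-7-router", auth)
    portal = rtr.handle_packet(Packet("dev-2", "example.org:80", "GET /"))
    return rtr.handle_auth_request({"device": "dev-2", "nonce": portal["nonce"],
                                    "username": "alice", "password": "wrong"})


def unverified_response_is_rejected() -> bool:
    # A response whose MAC does not verify leaves the list unchanged.
    rtr = Router("site-7-router", OffSiteAuthSystem(users={}))
    forged = {"type": "auth_response", "device": "dev-3", "router": "site-7-router",
              "nonce": "x", "authorized": True, "mac": "0" * 64}
    return rtr.apply_auth_response(forged) or "dev-3" in rtr.acl


if __name__ == "__main__":
    print(run_exchange())
```

The router never inspects or rewrites the unauthorized packet; it only changes which next hop the packet takes, which is the "standard routing functions" point in the abstract. The MAC, router-id and nonce checks in `apply_auth_response` are the parts a deployment has to get right: the list-update instruction arrives over the Internet, so the router should accept it only when it can tie it to its own earlier forwarding and to the off-site system's key.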
Specification